Banks Tighten Defenses Against Anthropic Mythos Risk

Multiple financial-sector outlets report growing alarm after Anthropic's powerful security-focused model, Mythos, was shown in tests to find and weaponize software vulnerabilities, including zero-days and long-undetected bugs (BBC; American Banker). Anthropic has not publicly released the model and has limited access to select partners, according to BBC and Bloomberg. Reuters reports Goldman Sachs removed access to Anthropic's Claude for Hong Kong bankers; Bloomberg reported unauthorized users gained access to Mythos via a private forum. Japan convened senior finance and banking officials and established a task force, DarkReading reports. American Banker quotes cybersecurity and industry experts warning of a remediation gap and potential systemic risk. Editorial analysis: industry observers note that comparable shocks usually trigger tightened access controls, third-party scrutiny, and expanded vulnerability management programs.
What happened
Multiple outlets report that Anthropic's security-focused model, Mythos, demonstrated the ability during testing to identify previously unseen software flaws and to turn them into working exploit chains, including a case that chained four vulnerabilities and one bug present for 27 years (American Banker; DarkReading). The BBC and Bloomberg describe Mythos as strikingly capable on computer-security tasks and say Anthropic has not released the model to the public, instead granting access to a limited set of organisations. Bloomberg additionally reported that a small group of unauthorised users accessed Mythos via a private online forum. Reuters reported that Goldman Sachs removed access to Anthropic's Claude for staff in Hong Kong, citing a source familiar with the matter. The BBC and DarkReading report that finance ministers, central bankers and major bank executives have raised urgent concerns and convened meetings or task forces.
Technical details
Reporting by American Banker and DarkReading says Mythos was able to find both new and old vulnerabilities across browsers and operating systems during internal testing, and in at least one instance chained multiple flaws into an exploit. BBC notes Anthropic limited access to the model and provided it to select partners, including major cloud and infrastructure firms, as part of an initiative to secure critical software. Bloomberg's account describing unauthorised access was corroborated with screenshots and a live demonstration, per the story.
Industry context
Editorial analysis: industry observers note that when frontier tools accelerate vulnerability discovery, the immediate response across regulated sectors typically includes access controls, contract reviews with vendors, and heightened third-party risk management. The involvement of financial regulators and central banks, as reported by the BBC and DarkReading, elevates the issue from isolated security incidents to a systemic-resilience discussion.
Actions reported by banks and regulators
- Goldman Sachs removed Anthropic access for Hong Kong bankers, Reuters reports.
- Japan's financial leadership convened and established a task force, DarkReading reports.
- Finance ministers discussed Mythos at the IMF meeting, the BBC reports, quoting Canada's Finance Minister François-Philippe Champagne saying the issue "is serious enough to warrant the attention of all the finance ministers."
Risks cited in reporting
American Banker and DarkReading highlight a remediation gap: Mythos could surface zero-day vulnerabilities faster than organisations can patch or mitigate them. The BBC and Bloomberg flag the dual concerns that the tool both accelerates discovery and, in the wrong hands, can lower the barrier to weaponising flaws. Bloomberg additionally reported limited unauthorized access via a private forum, introducing operational risk beyond the model's capabilities.
For practitioners
Editorial analysis: practitioners monitoring this story should treat the reported developments as a prompt to re-evaluate attack-surface scanning cadence, incident response playbooks, and vendor-contract security clauses. Observers following similar past episodes note that tightened API access controls, staged disclosure processes, and prioritized patch pipelines tend to be the immediate industry response.
What to watch
Editorial analysis: watch for:
- formal guidance from central banks or financial regulators after the task-force results reported by DarkReading and BBC
- vendor or cloud-provider notices about contract scope and allowed-use clauses following Reuters reporting that some banks are restricting Anthropic access
- any public remediation timelines or vulnerability disclosures tied to Mythos discoveries, which would indicate whether the remediation gap cited by American Banker is narrowing
- credible proof-of-concept code or exploit chains linked to Mythos outputs; Bloomberg's reporting of unauthorised access raises the likelihood of leaks that materially change defensive posture
Limitations of reporting
What is reported about the model's capabilities and unauthorised access comes from a mix of company documentation, screenshots, and interviews with unnamed sources (Bloomberg; American Banker). Anthropic has not made Mythos publicly available, and the company's detailed internal testing data has not been released in full to the press, per BBC and Bloomberg.
Overall, multiple reputable outlets report a confluence of technical capability (rapid discovery and exploit chaining), restricted distribution, and early operational lapses (unauthorised access), with senior financial officials treating the situation as material to systemic resilience. Editorial analysis: similar episodes historically drive accelerated hardening and governance changes rather than immediate universal compromise, but they also create a period of heightened risk that security teams must manage proactively.
Scoring Rationale
The story matters to practitioners because a tool that accelerates vulnerability discovery and can be weaponised affects defensive priorities across regulated sectors. Multiple national-level responses and reported unauthorised access raise systemic concern but do not yet represent a confirmed, widespread exploit campaign.
